SonicWall Capture Labs Threat Research team observed yet another Android malware campaign targeting a bank, this time Raiffeisen Bank. The campaign uses the Android banking trojan MazarBot, which first appeared in 2016, to infect the victim's device. The malware executes a number of hard-coded commands focused on stealing the victim's personal information.

Infection Cycle - Stage I

The victim receives a spam email asking them to enter their Raiffeisen banking login credentials. If the user trusts the fake webpage to be authentic and enters them, the credentials are sent to the attacker. The next page asks the victim to install an Android "security app" related to Raiffeisen, which is MazarBot in disguise. The app was hosted at the following URL, which has since been taken down:

hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php

Infection Cycle - Stage II

The malware app requests the following permissions at installation:

change network state

uses policy force lock

bluetooth

internet

access fine location

send sms

write sms

access network state

write external storage

get package size

read external storage

receive boot completed

vibrate

call phone

write settings

read phone state

read sms

battery stats

access wifi state

wake lock

change wifi state

receive sms

read contacts

use sip
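The permission set above (receive/read/send SMS, contacts, phone state, boot persistence) together with the Device Administrator request that follows is the classic Android banker profile. As an added example that is not part of this write-up, the Python script below parses a decoded AndroidManifest.xml (as produced by apktool) and flags that combination. The manifests it runs on are constructed for the example; the package name and component names in them are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def manifest_findings(manifest_xml):
    """Return the banker-style traits declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {attr(e, "name") for e in root.iter("uses-permission")}
    actions = {attr(e, "name") for e in root.iter("action")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app registers as Device Administrator.
    admin_receiver = any(
        attr(r, "permission") == BIND_DEVICE_ADMIN for r in root.iter("receiver")
    )

    def has(*names):
        return all("android.permission." + n in perms for n in names)

    findings = []
    # A receiver for SMS_RECEIVED plus RECEIVE_SMS/READ_SMS lets the app read incoming OTPs.
    if SMS_RECEIVED in actions and (has("RECEIVE_SMS") or has("READ_SMS")):
        findings.append("sms_interception")
    if has("SEND_SMS"):
        findings.append("sms_sending")
    # Device admin makes the app hard to uninstall and enables policies such as force-lock.
    if admin_receiver:
        findings.append("device_admin")
    if has("RECEIVE_BOOT_COMPLETED"):
        findings.append("boot_persistence")
    if has("READ_CONTACTS"):
        findings.append("contact_harvesting")
    if has("READ_PHONE_STATE"):
        findings.append("device_fingerprinting")
    return findings


def looks_like_banker(findings):
    """Heuristic verdict: SMS interception together with device admin or boot persistence."""
    return "sms_interception" in findings and (
        "device_admin" in findings or "boot_persistence" in findings
    )


# Constructed manifest modelled on the permission list above (hypothetical package/component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Security App">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access and a launcher activity only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = manifest_findings(xml)
        print(label, found, "banker-like" if looks_like_banker(found) else "ok")
```

Run it against the `AndroidManifest.xml` that apktool writes next to the decoded resources; the script deliberately keys on the combination of traits rather than on any single permission, since SEND_SMS or READ_CONTACTS alone is common in legitimate apps.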

Upon execution the malware requests Device Administrator privileges.
We analyzed a couple of malicious samples belonging to this campaign; the code in each one is laid out differently. Every sample shares a common trait, however: the code is hard to follow because the class and variable names are jumbled.
There are a number of hardcoded commands in these samples. In one such sample the malware disguises these commands in the code by appending **83Y** to each string.
De-obfuscating this part of the code reveals a number of hardcoded commands, indicating that this malware follows a bot structure. Some of the interesting findings are as follows:

aT = a("Bot is not able to run that command");

Grab device related information

bc = a("get_packages");

bd = a("get_device_model");

be = a("get_os_ver");

bf = a("get_number");

bg = a("get_operator");

bh = a("get_imei");

bi = a("get_country");

bj = a("get_contacts");

bk = a("get_language");

dj = a("imei");

dl = a("getSimOperatorName");

dm = a("getNetworkOperatorName");

Capture Credit Card related information

bn = a("mastercard");

bo = a("visa");

bp = a("amex");

bq = a("Incorrect credit card number");

cf = a("send_card_number");

cg = a("number");

ch = a("month");

ci = a("year");

cj = a("cvc");

Monitor specific apps

ck = a("com.paypal.android.p2pmobile"); - Paypal

cl = a("com.android.vending"); - Google Play

Capture SMS messages related commands

cV = a("base_sms_intercept");

cW = a("createFromPdu");

cX = a("processIncomingMessages");

dk = a("getMessageBody");

Upload contact details and inject content

cS = a("UploadContactsRequest");

cT = a("inject_id");

cU = a("body");

Check whether the malware is running in an emulator or under a debugger

es = a("isDeb");

et = a("generic");

eu = a("unknown");

ev = a("google_sdk");

ew = a("Emulator");

ex = a("Android SDK built for x86");

ey = a("Genymotion");

ez = a("sdk");

eA = a("sdk_x86");

eB = a("vbox86p");

eC = a("golfdish");

eD = a("ranchu");

eE = a("android|emergency calls only|fakecarrier");

eF = a("Debug");

eG = a("ugger");

bB = a("screen_lock");
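As an added example (not code from this write-up or from the malware), the Python script below does two pieces of the triage described above in one go. It pulls every `name = a("...")` string assignment out of decompiled source, strips the **83Y** marker (the exact placement of the marker is assumed, so every occurrence is removed) and buckets the cleartext strings roughly the way they are grouped above. It then applies the emulator indicators and the carrier regex from the listing to a Build-style device profile, which is how a sandbox operator can check whether their analysis environment would trip this kind of check. The decompiled fragment and both device profiles are constructed; which Build fields the sample actually inspects, and that the regex is matched against the operator name, are assumptions made for the example.

```python
import re

# Obfuscation marker the write-up reports being appended to string constants.
# Its exact placement is an assumption here, so every occurrence is removed.
MARKER = "83Y"

# Assignment shape seen in the decompiled listing: <name> = a("<string>");
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*a\("([^"]*)"\)')

# Emulator indicators from the de-obfuscated strings above ("golfdish" is
# reproduced as printed; the classic emulator board name is "goldfish").
EMULATOR_MARKERS = (
    "generic", "unknown", "google_sdk", "Emulator", "Android SDK built for x86",
    "Genymotion", "sdk", "sdk_x86", "vbox86p", "golfdish", "ranchu",
)
# Regex from the listing; assumed to be applied to the operator name (assumption).
CARRIER_RE = re.compile("android|emergency calls only|fakecarrier", re.IGNORECASE)

# Constructed fragment modelled on the decompiled code (not real malware source).
SAMPLE_SOURCE = '''
bh = a("get_imei83Y");
bj = a("get_contacts83Y");
bn = a("mastercard83Y");
cf = a("send_card_number83Y");
ck = a("com.paypal.android.p2pmobile83Y");
cV = a("base_sms_intercept83Y");
eE = a("android|emergency calls only|fakecarrier83Y");
'''


def deobfuscate(value):
    """Strip the appended marker from one string constant."""
    return value.replace(MARKER, "")


def extract_strings(source):
    """Return {variable: cleartext} for every a("...") assignment in decompiled source."""
    return {name: deobfuscate(raw) for name, raw in ASSIGN_RE.findall(source)}


def categorize(strings):
    """Bucket cleartext strings roughly the way the write-up groups them (heuristic)."""
    buckets = {"command": [], "card": [], "package": [], "regex": [], "other": []}
    for text in strings.values():
        if text.startswith(("get_", "send_", "base_")):
            buckets["command"].append(text)
        elif text in ("mastercard", "visa", "amex"):
            buckets["card"].append(text)
        elif re.fullmatch(r"[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+", text):
            buckets["package"].append(text)
        elif "|" in text:
            buckets["regex"].append(text)
        else:
            buckets["other"].append(text)
    return buckets


def emulator_hits(build):
    """Fields of a Build-style profile that the listed indicators would flag.

    `build` maps field names (MODEL, PRODUCT, HARDWARE, BRAND, DEVICE,
    FINGERPRINT, OPERATOR) to strings. Which fields the sample really inspects
    is an assumption; substring matching mirrors the usual contains() checks.
    """
    hits = []
    for field, value in build.items():
        if field == "OPERATOR":
            if CARRIER_RE.search(value):
                hits.append(field)
        elif any(marker in value for marker in EMULATOR_MARKERS):
            hits.append(field)
    return hits


# Constructed profiles: a stock x86 AVD and a sandbox whose fields were renamed to look like a phone.
STOCK_EMULATOR = {
    "MODEL": "Android SDK built for x86", "PRODUCT": "sdk_x86", "HARDWARE": "ranchu",
    "BRAND": "generic", "DEVICE": "generic_x86",
    "FINGERPRINT": "generic/sdk_x86/generic_x86:9/PSR1.180720.093/5456446:userdebug/test-keys",
    "OPERATOR": "Android",
}
HARDENED_SANDBOX = {
    "MODEL": "Pixel 3", "PRODUCT": "blueline", "HARDWARE": "qcom",
    "BRAND": "google", "DEVICE": "blueline",
    "FINGERPRINT": "google/blueline/blueline:10/QQ3A.200805.001/6578210:user/release-keys",
    "OPERATOR": "T-Mobile",
}

if __name__ == "__main__":
    strings = extract_strings(SAMPLE_SOURCE)
    for bucket, items in categorize(strings).items():
        print(bucket, items)
    print("stock emulator flagged on:", emulator_hits(STOCK_EMULATOR))
    print("hardened sandbox flagged on:", emulator_hits(HARDENED_SANDBOX))
```

A stock AVD trips on every field, including the operator name "Android" matched by the carrier regex, so a sandbox used to detonate this family needs all of those values rewritten, not just Build.MODEL. The `isDeb`/`ugger` and `Debug` fragments in the listing are consistent with a debugger check whose method name is assembled at runtime, but the script does not model that since the page does not show how they are combined.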

Overall, this campaign uses phishing pages for Raiffeisen Bank to spread its infection. It focuses on stealing sensitive user information stored on the infected device. It is likely that this campaign also spreads via phishing webpages impersonating other banks or establishments.

SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures: